Mein Konto

Virus Removal Tools

Virus Calendar

Virus Hoaxes

Virus Glossary

Regional Virus

  Virus Newsletters

Security News

Anti-Virus Tips

Online Guide for
Related Links


VirusScan 7.0

Anti-Virus DAT

Virus Profile: Linux/Slapper.worm.c

Risk Assessment  
  - Home Users: Low-Profiled
  - Corporate Users: Low-Profiled
Date Discovered: 22.09.2002
Date Added: 24.09.2002
Origin: Unknown
Length: 70,981 bytes (unlock.c)
Type: Virus
SubType: Internet Worm
DAT Required: 4225

Virus Family Statistics (over the past 30 days)

Virus Name Infected Files Scanned Files % Infected Computers
Linux/Slapper.worm 2 112.679 0,00
Linux/Slapper.worm.a 4 168.552 0,00
Linux/Slapper.worm.b 2 112.680 0,00
Linux/Slapper.worm.c 3 157.310 0,00
Linux/Slapper.worm.gen 2 112.679 0,00

Virus Characteristics

This worm spreads over Apache with mod_ssl installation on many Linux platforms using a previously disclosed vulnerability in the OpenSSL library, up to, and including, versions 0.9.6d and 0.9.7 beta 1. It is a modified derivative of the BSD/Scalper worm from which it inherits the propagation strategy. It scans an entire class B subnet created by choosing the first byte from an hard-coded list of A classes and randomly generating the second byte.

The worm only attacks specific Linux distributions by sending an initial http request on port 80 and examining the Server: header response. Only if the target server is running one of these distributions the worm proceeds with attacking port 443 (https). Target distributions are:

Linux dist Apache dist
Gentoo unknown
Debian 1.3.26
Red-Hat 1.3.6 1.3.9 1.3.12 1.3.19 1.3.20 1.3.26 1.3.23 1.3.22
SuSE 1.3.12 1.3.17 1.3.19 1.3.20 1.3.23
Mandrake 1.3.14 1.3.19 1.3.20 1.3.23
Slackware 1.3.26

Although only these distributions are known to be attacked by the Slapper worm the openSSL vulnerability may affect other platforms as well and new variants may have a broader target range. Note that the vulnerability is not related to the Apache web server or to mod_ssl. To fix the vulnerability it is recommended that users update OpenSSL to the latest version.

On a vulnerable system, the worm uploads itself in the form of a uuencoded source file, decodes it and then compiles the source into an ELF binary. The binary is detected as Unix/Scalper.worm.gen (it does bear certain similarity to BSD/Scalper.worm so they are detected generically). The technique of local recompilation is used to circumvent any potential instability issues when running a Linux binary on different Linux distributions/flavors. The worm relies on the existence and accessibility of a local copy of C compiler. The name and location of the encoded file, decoded source and binary files is given in "Symptoms".

The infected computers form a global network of compromised servers based on peer to peer communication principles. This network can be used, for example, for Distributed Denial of Service (DDoS) attacks or other purposes because it can accept remote commands. Any command received by one computer is retransmitted to the other members of the worm network.

Commands received from the P2P network include:

  • ip4, ip6, tcp, syn, udp, dns flooding
  • Scan the file system for valid email
  • Produce multiple copy of itself on the filesystem
  • Add entries to crontab
  • Send information about the compromised system to specific email addresses
  • Indications of Infection

    Presence of the following files:
    • tmp/.unlock.c
    • tmp/.update.c
    • /tmp/.unlock.uu
    • /tmp/httpd

    Method of Infection

    This Slapper variant uses the following methods:
    • P2P: port 4156 udp is used for control instructions
    • Files: /tmp/.unlock.c /tmp/.update.c (source) - /tmp/.unlock.uu (uuencoded) - /tmp/http (bin)
    • incorporates additional mailing routine to mail the list of compromised hostnames to the author (
    • drops additional backdoor component (/tmp/.update.c) which listens on port 1052 protected with password
    • the worm's process name has been changed to "httpd" presumably to disguise itself in the process list

    Removal Instructions

    Detection is included in the specified DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

    Delete files identified by the scanner, replace them with clean ones from backup or re-install them using the original packages. Reboot the system.

    You need to inspect the contents of 'crontab' file and remove unwanted entries.

    It is advisable to remove the C compiler from the server or restrict the access rights to the compiler. Disabling compilers on production systems is recommended as a good security practice.

    Administrators should regularly check for availability of important security updates/patches.

    Recommended links:

    Informationen zu McAfee Werbung bei uns Partnerprogramm Kontakt Investoren Partner Presse Datenschutz
    Sites weltweit:
    Copyright © 2003-2009, McAfee, Inc. Alle Rechte vorbehalten.
    McAfee für Privatanwender Datenschutz.